participant profile / clearbit / privacy issues

[imajes]

I searched for anything related and didn't spot anything obvious. However...

I noticed that N1 is using clearbit to lookup information about users you are interacting with, as part of the participant-profile package. Unfortunately, this package is non optional, so it's not possible to disable this API lookup.

This is quite a privacy violation -- it's leaking the full sender information to clearbit, without any way for the user to choose whether or not they are OK with this. Fortunately, it's all over SSL.

Also, why is there no cache of this at all? Even if for a session-only cache -- the data is requested repeatedly.

Related to this is the nylas-private-analytics package, which I assume is simple usage data, but again is not possible to opt-out, which is really poor privacy and user engagement.

For a company which has a full copy of ALL my email, i'd prefer to see a stronger commitment to protecting my privacy.

[KevinMartin]

This project is open source. You can fork it, remove the the packages you don't like, then run it. ;)

[bengotow]

Hey—thanks for the feedback! As always, you're welcome to fork the project if you'd like to create your own build that excludes certain features.

The Clearbit data is cached client-side while the app is open, but only if Clearbit returns a "final" response for a particular address (a 200 rather than a 202). That may have been what you were seeing. It's also worth noting that the requests are proxied through our infrastructure, so your Clearbit API requests are indistinguishable from others when they reach Clearbit. They all come from the same IP address and contain no information about you, only the recipient email.

We're committed to protecting your mail data (see nylas.com/security), but we're also committed to building the best mail experience, which involves long term planning based on the vast majority of consumers and quantified assessment of which features people use, how fast the app is performing in the wild, etc.

Thanks!

[alexanderadam]

@bengotow does this mean that you will never close this issue?
Could you please list all the cases when and where your servers are called and why it ?

@imajes did you find any fork or other solution?

Privacy issues seem to be a big topic here although these tickets are always closed by Nylas members ( i.e. #1082, #1681, #1339, #1444, #2432 or #2432 )

[franzos]

I completely agree with some of the previous comments:

By the way: By installing Nylas Mail, you agree that your email contacts will be send to the third party service clearbit.com. Accept this, fork and modify or leave.

Doesn't sound fun at all!

Now let's have a closer look at what clearbit.com does with the millions of emails you send them on a daily basis: "We may disclose your Personal Information to law enforcement, government officials, or other third parties" and "in the event of a merger, acquisition, reorganization, bankruptcy, or other similar events, any information in our possession may be transferred to our successor or assign".

The fact that this is an open source app, makes this sort of privacy invasion even worse. What's easy for me to do (either block the connection or rebuild the app), isn't nearly as easy for probably 90% of the world population. So, we're making the assumption that

a) they are happy with their emails being send to clearbit
b) if they are not, they will simply fork the app or move on

I'd suggest to simply allow users to turn this off and be done with it. What's the problem?

[franzos]

@alexanderadam from what I can see, Nylas Mail calls the following servers:

Nylas Mail via Nylas Mail Helper

n1.nylas.com - probably billing / sends info about Nylas Version, OS
clearbit.com - via proxy, Nylas Mail sends Email address to clearbit.com
api.segment.io - link and click tracking notification?
k.root-server.net
f.root-server.net
j.root-server.net
omniprox-3.nylas.com - proxy for clearbit.com?
192.228.79.201
192.203.330.10
198.97.190.53
199.7.83.42
192.112.36.4
192.36.148.17
192.36.148.17
192.33.4.12
198.41.0.4
imap.fastmail.com - my email provider, OK
smtp.fastmail.com - my email provider, OK

Nylas Mail

sentry.io - error reporting?
omniproxy-3.nylas.com
n1.nylas.com - probably billing / sends info about Nylas Version, OS

Apparently their hosted service (Nylas Pro?) runs on AWS, hence the IP's change frequently. This is documented here but this is still an astonishing number of connections for a mail client, that's supposed to retrieve and send emails.

[alexanderadam]

@franzos thank you for the awesome analysis!
I guess there won't be a better solution than really fork it, remove tracking and allow the usage without nylas servers. 😞

[franzos]

@alexanderadam I'm just disappointed.

The only reason I'm here is, because I believe that Nylas is building an amazing mail client. A unified interface across platforms, seamless integration with 3rd party apps such as CRM or data enrichment. However, by default Nylas Mail should communicate as LITTLE as possible. That means, after your first download and install, there should be 0 network activity. Only once you add your email accounts or enable this sort of data enrichment (clearbit.com), Nylas Mail should connect to the relevant servers.

Instead, users that simply don't know any better, download Nylas Mail (and previously N1) and have, for some part, no idea what's actually happening with their data. Alone the fact that all my email contacts are send to clearbit.com, is a huge red flag which I would like to protect users from! Who knows what else is going on behind the scene and what sort of arrangements Nylas Mail has with these individual vendors.

Here's what the average user goes trough to send an Email:

OS: Microsoft Windows - phones home to Microsoft, collects statistics about you
Mail provider: Google Mail - processed, enriched with Ads (they make money with your identity)
Mail client: Nylas Mail - sends all your contacts to wherever
Internet (ISP) - collects information about what you do (they make money with your identity)

It seems like a bad joke.

[grinich]

We don't share contact data with Clearbit. To make a Clearbit API request you need to send the email addesss as a query parameter. We proxy this server-side to anonymize the user as well as add our secret key. (We pay for Clearbit and give you the data for free.)

In the future we may turn this feature off completely if it gets too expensive and not enough people upgrade to a paid subscription. We don't have plans to sell ads so we need people to support us somehow.

I don't have time right now to do a full IP address review (we are having an outage and i need to help there) but I can tell you we use our own services for keeping track of billing/subscription state, we use segment/mixpanel for basic analytics, we use sentry for crash reporting, and Clearbit for enriching contacts. The omniproxy is just our front line loadbalancer for all services. (HAproxy on steroids)

You can also now build the oss project from scratch with this repo. (See last night's commits.) We don't claim to have the perfect solution for everyone but the great thing about open source is you can take our work in another direction if you want. We wholeheartedly welcome it!

[franzos]

@grinich Clearbit could be hacked, acquired or transform into a completely different business. In other words, all the people I've been in touch with, stand to lose their Email address to yet another corporation. Sure, the Clearbit integration is a fantastic idea and useful especially in sales but why can't we turn this into a plugin and make it optional - you know, for sales people.

Just by using Nylas Mail, my data goes to a lot of services:

• Yourself (Nylas)
• Clearbit.com (Enrichtment)
• Sentry.io (Error tracking - but what data is being logged? My IP?)
• Segment.io
• ?

Don't you find this a bit worrisome as default?

At the end of the day, I'd love to see a Nylas Mail that makes no assumption about it's users. I fully support the argument that you're building the best mail experience ever but on the way, please take a look at what YOU can do to help protect your users privacy. It's surprisingly easy: Not more secure, hack-proof infrastructure but simply less data / leaks / logs / services.

[grinich]

Since we did the open sores merge last night, I'm actually not sure how much of these packages exist in the main Nylas Mail repo. Happy to look at PRs that disable them or encourage forks with them removed completely.

[grinich]

*Open Source yikes autocorrect (I'm on my phone)

[franzos]

@grinich that would be great. Let's see what happens over the coming weeks.

[useretail]

clean version is definitely needed

[rscircus]

There exist privacy respecting alternatives. Search for them. Also checkout @franzos' comments and @herrbischoff's Questions regarding privacy and project motivation.

[herrbischoff]

My questions were never answered in a satisfying way. As you can see from now a dozen or so similar issues, Nylas simply doesn’t care about changing their product to be more privacy-respecting. As they never gave good reasons for doing what they do, one can only surmise it’s because of some financial motivation having to do with user data.

The “fork it or shut up” approach further undermines the motivations for open sourcing it in the first place. It appears to have something to do with reaping the benefits of free work from submitters, trying to build a platform, but pocketing the rewards privately.

Those are just some of the impressions you get when you are a little privacy-conscious, whether they are correct or not.

Whatever Nylas’ true motivations are (and I don’t doubt there are “true believers” just like in Facebook), I suggest an easy way: just don’t use it. It’s a shame, yes, but when you deal with a tone-deaf entity, eventually it’s time to let it go. They won’t change. They want something that is deeply linked to the way they built it. You should walk away and find a better solution. It wouldn’t be the first time that certain technology would have to be reinvented because the original inception was fiercely defended against change.

In the end, as long as people want stuff for free instead of paying a couple of bucks for privacy, “business models” like this one work. Unfortunately it’s a systemic problem that may only ever be resolved on a policy level, explicitly forbidding data mining or user profiling.

[franzos]

@herrbischoff I completely agree with you but this project is pretty much dead. I'd suggest you to checkout #3621. There are two, promising alternatives based on Nylas mail:

https://github.com/Foundry376/Mailspring
https://github.com/nylas-mail-lives/nylas-mail

[herrbischoff]

I see, so they finally revealed their true face in closing everything down and making it a commercial-only venture. Now you pay $84/year to get your privacy violated. Great stuff.

[rscircus]

@franzos, @herrbischoff, thanks for getting touch. I stared holes into their website and the issue tracker on my quest to find out, if I'm the product here for quite a while.

• Mailspring follows Nylas' approach with a "Mailspring ID".
• Nylas-mail-lives seems to deliver the promised land. Has some issues, though:

[herrbischoff]

I would just stay clear from this clusterfuck altogether. It is just not meant to be used in a privacy-friendly way. Imagine being given all of Facebook’s source code. You wouldn’t be able to decouple its tracking functions from the social media functions. They’re one.

[franzos]

What's all this negativity? Kudos to the Nylas Mail developers for bringing us such an amazing, flexible mail client and respect to everyone who's working to continue fixing bugs and making sure that we can enjoy this experience, on virtually every mainstream OS.

I sure don't agree with all the features but it's an open source project after all, and in time, we will see forks that fixe these privacy issues (mostly Clearbit integration). If you're familiar with your OS firewall software, or the host file, feel free to block all connections except for IMAP / SMTP.

Aside from that, since we're all so concerned about privacy, I hope you're all running a custom-build Linux / Unix OS because Mac OS / Windows / even Ubuntu loves to phone home. I've probably got 100+ entries in my host file, just to keep Mac OS quiet. Let's not talk about all the other applications, that are quietly communicating your every interaction ...

[rscircus]

@franzos, indeed. I think, @herrbischoff's response basically is a rant on many big co's behavior trying to feed on FOSS developers. And many evasive answers here seem to support this. To bring this search to an end: I'm sticking with GNOME's Geary for now.

PS: I'm a big fan of: https://surf.suckless.org/files/adblock-hosts using hosts-gen. 😊